Migrating email to the cloud as a security strategy

I feel like this article could have been written about 5 years ago, but there are still many organizations that aren’t leveraging a security-rich, cloud-based email system such as Office 365.  Let’s face it, notwithstanding hard-dollar cost reduction, rarely is there a business need to switch email systems or email providers.  Migrating email to the cloud is no different – unless the cloud has a compelling story.

Cloud Economics

In the recent past, I have found that it has been consistently difficult to find financial justification for moving email services to the cloud.  Many times, it is hard to prove that the investment will pay off and quite often, it ends up simply being more expensive. While soft costs are something that should be considered, many small businesses don’t put as much weight in soft costs as they do hard-dollar savings, so gaining any traction on these types of projects is tough.

The Cloud for Risk Mitigation

Why then, should we be considering such a move?  Reducing risk.  I have seen many different implementations of email systems and they typically consist of a cluster of servers with a disc array attached.  Redundancy is accomplished with a combination of application features and tools-based replication; not to mention backup.  Disk-to-disk and tape backup still exist to supplement grandfathering retention requirements.  Add on the need for an eDiscovery solution and true mailbox archiving, and you have yourself quite a robust system that likely grew incrementally over the years.  That’s a large footprint already, but we’re not done. We haven’t even started discussing email encryption, data loss protection, mobile access, storage sprawl, and the various spam and malware mitigation that is attached to most systems.  When it comes right down to it, the on-premises email eco-system is huge, has a lot of moving parts and is difficult to manage, which makes it clear that it poses a major risk to the organization.

Many IT folks still running in-house email systems might call it heresy to suggest that we should entertain a cloud-based strategy to enhance security and reduce risk, but when you take an objective look at the email mess that exists in many organizations, it only makes sense.

Cloud advocates like to tout the many benefits of the cloud, whether it be the elastic nature of cloud services or the availability of immense computing power at your fingertips.  Lately its becoming a conversation of capability and simplicity – two very important components of a security strategy.

Some of my duties as a consultant have me tasked with running cost/benefit analyses, forecasting spend and justifying capital expenditures.  As cloud technologies continued to mature, it was clear to me that there are many features offered in cloud-based email offerings that are either not available with in-house email or that those features will add cost and complexity to the already complex environment.

Here are some examples of what can be accomplished (or consolidated) with Office 365 and Microsoft’s offering in Azure:

  • Self-Service Password Reset
  • Data Loss Prevention (DLP)
  • Mobile Device Management (MDM)
  • Email Encryption
  • Multi-factor Authentication (MFA)
  • Archiving, eDiscovery & Retention
  • Rights Management (RMS)

How many of the technologies above do you have in your on-premises email deployment?  How many vendors does this represent?

Don’t get me wrong, cloud-based offerings aren’t for everyone.  Like any initiative, a healthy risk-based review should be incorporated into any potential project, or corporate initiative.  There are also challenges with the cloud and hybrid environments, but understanding these challenges and exploring opportunities (reducing risk by reducing complexity, taking advantage of advanced security solutions and consolidating vendors), will likely lead you toward identifying cloud based email, such as Office 365 as a great approach for your organization.

If you’d like to learn more about securing your hybrid or cloud environment, we’d be happy to help. You can give us a call at 630.832.0075 or send us an email at info@peters.com.

By |2018-12-18T12:13:19-05:00June 21st, 2017|Security Solutions|Comments Off on Migrating email to the cloud as a security strategy

About the Author:

As the Information Security Architect at Peters & Associates, Thomas Johnson (TJ) is responsible for providing security and compliance leadership. This includes such areas as vendor management, disaster recovery, business continuity, data protection, security products, budgeting and risk management. He has over 25 years of experience in security and technology and has extensive compliance related expertise in banking and healthcare. TJ holds many security related certifications as well as a Master’s Degree in Information Technology Management with a specialization in Information Security from the Illinois Institute of Technology in Technology. TJ focuses on Security Leadership, Risk Management, Information Security Assessments, Compliance Management and DR / BCP.